Attack shuts down SCO site

A large-scale denial of service attack, apparently the result of the MyDoom worms that spread across the Internet last week, has shut down the Website of the SCO Group Inc. of Lindon, Utah.

'Internet traffic began building momentum on Saturday evening and by Midnight Eastern Time the SCO Website was flooded with requests beyond its capacity,' the company announced today. 'The company expects these attacks to continue through Feb. 12.'

MyDoom began spreading rapidly Monday through e-mail and peer-to-peer file sharing connections, and a variation of the worm appeared Wednesday. Both versions carried instructions programming infected computers to launch denial of service attacks against www.sco.com on Feb. 1. The second version also appears to target the Microsoft Corp. site for a Feb. 3 attack.

MyDoom appears to be programmed to shut itself down Feb. 12.

Tuesday's attack could be less serious than today's, as cleanup of the worms seems to be outpacing new infections, according to Network Associates Inc. of Santa Clara, Calif.

'We saw numbers of up to 800,000' infections, said Vincent Gullotto, vice president of Network Associates' Antivirus Emergency Response Team. 'Going into this weekend, we saw about 200,000. The cleanup seems to be going well.'

Gullotto said there have been about 1 million downloads in January of a Network Associates tool used to clean up MyDoom as well as other threats. About 80 percent of the downloads were in the last week.

Jeff Carlon, director of SCO's IT infrastructure, said the company has contingency plans to deal with the denial of service attacks, but would not begin implementing them until Monday.

The motive behind MyDoom is unclear. The SCO attack appears to be a statement about lawsuits filed by SCO in connection with controversial claims to copyright in some elements of the Linux open source operating system. But both versions of the worm also install back doors on infected machines, opening up ports that could let the computers be used as relays for spam distribution. Many security experts question why spammers would use such a high-profile method for establishing a clandestine network spam, however.

Variants of successful malicious code have become a trend in the past year, and Gullotto said new versions of MyDoom could be likely over the next month. Likelihood of new outbreaks probably would drop after that.

MyDoom was not particularly sophisticated, technically, but owed its rapid spread to its ability to quickly generate mass e-mails from an infected machine and social engineering that tempted victims to open the e-mail and attachment. The worm often appeared to be a notification of a failed delivery of an e-mail sent by the victim. Gullotto said he expected to see new but similar methods of snaring victims in subsequent versions.'